Michael Koppmann

Typed Security: Preventing Vulnerabilities By Design

What if your type system could be your best security tool? Learn how to encode security rules into types, making entire classes of vulnerabilities simply impossible.

#1 about 3 minutes

Introduction to domain-driven design principles

Domain-driven design (DDD) helps structure code to match the business domain by using concepts like entities, value objects, and aggregates.

#2 about 4 minutes

Making illegal states unrepresentable with types

By designing data types so that invalid combinations cannot be expressed, the compiler can prevent bugs and enforce business rules automatically.

#3 about 3 minutes

Avoiding null pointer exceptions with optionals

Using the `Optional` type in languages like Java explicitly models the potential absence of a value, forcing developers to handle empty cases.

#4 about 2 minutes

Overcoming primitive obsession with custom types

Wrapping primitive types like strings and integers in custom types (e.g., `UserId`) prevents logical errors like mixing up different kinds of IDs.

#5 about 9 minutes

Modeling a business workflow with rich types

An email verification process is modeled using smart constructors and sum types, replacing a simple boolean flag to guarantee correctness.

#6 about 2 minutes

Applying typed security to OWASP vulnerabilities

Type systems can be used to systematically prevent common security flaws listed in the OWASP Top 10, such as injection and access control issues.

#7 about 7 minutes

Using types as authorization tokens

Replacing boolean authorization checks with type-based access tokens ensures that protected functions can only be called after a successful permission check.
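
The type-as-token idea from this chapter, as an added Rust example (not code from the talk or the speaker): the permission check returns a proof value, and the protected function requires that value as a parameter. All names (`UserId`, `Role`, `AdminProof`, `authorize_admin`, `delete_user`, `handle_delete`) are assumptions made for illustration.

```rust
// Added illustration; every name here is hypothetical, not taken from the talk.
mod auth {
    /// Wrapper type: a UserId cannot be mixed up with any other integer ID.
    #[derive(Debug, Clone, Copy, PartialEq, Eq)]
    pub struct UserId(pub u64);

    #[derive(Debug, Clone, Copy, PartialEq, Eq)]
    pub enum Role { Member, Admin }

    pub struct User { pub id: UserId, pub role: Role }

    /// Proof that a permission check succeeded. The field is private, so code
    /// outside this module cannot build one; `authorize_admin` is the only source.
    pub struct AdminProof { actor: UserId }

    impl AdminProof {
        pub fn actor(&self) -> UserId { self.actor }
    }

    /// The single place where the permission rule lives.
    pub fn authorize_admin(user: &User) -> Option<AdminProof> {
        match user.role {
            Role::Admin => Some(AdminProof { actor: user.id }),
            Role::Member => None,
        }
    }
}

use auth::{authorize_admin, AdminProof, Role, User, UserId};

/// Protected operation: it cannot be called without an AdminProof in hand.
pub fn delete_user(proof: &AdminProof, target: UserId, users: &mut Vec<User>) -> String {
    users.retain(|u| u.id != target);
    format!("user {} deleted by admin {}", target.0, proof.actor().0)
}

/// Request handler: returns None when the permission check fails.
pub fn handle_delete(actor: &User, target: UserId, users: &mut Vec<User>) -> Option<String> {
    let proof = authorize_admin(actor)?;
    Some(delete_user(&proof, target, users))
}

fn main() {
    let mut users = vec![User { id: UserId(7), role: Role::Member }];
    let admin = User { id: UserId(1), role: Role::Admin };
    println!("{:?}", handle_delete(&admin, UserId(7), &mut users));
    // let forged = AdminProof { actor: UserId(7) }; // does not compile: field `actor` is private
}
```

A forgotten check shows up as a missing argument at compile time rather than as an unguarded call path at runtime.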

#8 about 2 minutes

Preventing SQL injection with a query type

Differentiating between a raw string and a dedicated `Query` type at the compiler level prevents accidental string concatenation and forces safe data handling.

#9 about 4 minutes

Preventing data leaks with data transfer objects

Data Transfer Objects (DTOs) act as a boundary layer, exposing only necessary and safe data to external clients while protecting sensitive internal models.

#10 about 2 minutes

Eliminating XSS with a dedicated HTML type

In frameworks like Elm, treating HTML as a distinct type ensures that all string inputs are automatically sanitized, preventing cross-site scripting attacks.

#11 about 2 minutes

Structuring applications with clean architecture

Architectural patterns like Clean or Hexagonal Architecture isolate the pure business logic core from external dependencies, complementing a type-driven approach.

#12 about 2 minutes

Key takeaways for building secure applications

The core principles for secure design are to make illegal states unrepresentable, parse instead of just validating, and use the compiler as a security tool.

#13 about 17 minutes

Q&A on type systems and legacy code

The speaker answers audience questions about effective languages, limitations, frontend vs backend validation, and applying these concepts to legacy codebases.
